Using Xrfkey headers

A common vulnerability in web clients is cross-site request forgery, which lets an attacker impersonate a user when accessing a system. To protect against this vulnerability, calls to the Qlik Sense Repository Service (QRS) API must include the following:

Xrfkey parameter: Must consist of 16 arbitrary characters. The characters can be changed between calls to the API.

x-Qlik-Xrfkey: Custom HTTP header. The format is as follows:

x-Qlik-Xrfkey: <The same 16 characters as used for the Xrfkey parameter>

Note: The only characters that are allowed for use in the Xrfkey parameter are 0 - 9, a - z, and A - Z.
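The following Python sketch is an added example, not code from Qlik or from this page. It generates a fresh 16-character key, attaches it to a request as both the Xrfkey parameter and the x-Qlik-Xrfkey header, and checks that an outgoing request carries a matching pair. The function names are hypothetical, and matching the parameter name case-insensitively is an assumption of the sketch.

```python
import re
import secrets
import string
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

ALPHABET = string.digits + string.ascii_letters  # 0-9, a-z, A-Z: the only allowed characters
XRFKEY_RE = re.compile(r"[0-9a-zA-Z]{16}")
PARAM = "Xrfkey"          # parameter name as spelled on the page
HEADER = "x-Qlik-Xrfkey"  # header name as given on the page


def new_xrfkey():
    """Return 16 allowed characters chosen with the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(16))


def add_xrfkey(url, headers=None, key=None):
    """Return (url, headers) carrying one key as both parameter and header."""
    key = new_xrfkey() if key is None else key
    if not XRFKEY_RE.fullmatch(key):
        raise ValueError("Xrfkey must be 16 characters from 0-9, a-z, A-Z")
    parts = urlsplit(url)
    # Keep the caller's other query parameters; drop a stale key. Matching the
    # parameter name case-insensitively is this sketch's assumption.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() != PARAM.lower()]
    query.append((PARAM, key))
    out = {k: v for k, v in (headers or {}).items() if k.lower() != HEADER.lower()}
    out[HEADER] = key
    return urlunsplit(parts._replace(query=urlencode(query))), out


def check_xrfkey(url, headers):
    """Return a list of problems; an empty list means the pair is consistent."""
    params = [v for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
              if k.lower() == PARAM.lower()]
    hdrs = [v for k, v in headers.items() if k.lower() == HEADER.lower()]
    problems = []
    if len(params) != 1:
        problems.append("expected exactly one Xrfkey parameter")
    elif not XRFKEY_RE.fullmatch(params[0]):
        problems.append("Xrfkey parameter is not 16 characters from 0-9, a-z, A-Z")
    if len(hdrs) != 1:
        problems.append("expected exactly one x-Qlik-Xrfkey header")
    elif len(params) == 1 and hdrs[0] != params[0]:
        problems.append("header and parameter differ")
    return problems
```

Running check_xrfkey over the URL and headers just before a request is sent catches a key that was set in only one of the two places.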

Example:

The following API call returns all server node configurations in the repository database: